Abstract

We present a new algorithm for the problem of universal gathering of mobile oblivious robots (that is, starting from any initial configuration that is not bivalent, using any number of robots, the robots reach in a finite number of steps the same position, not known beforehand) without relying on a common chirality.

We give very strong guarantees on the correctness of our algorithm by proving it formally correct using the COQ proof assistant.

To our knowledge, this is the first certified positive (and constructive) result in the context of oblivious mobile robots. It demonstrates both the effectiveness of the approach to obtain new algorithms that are truly generic, and its manageability, since the amount of developed code remains human readable.


1 Introduction 

Networks of mobile robots captured the attention of the distributed computing community, as they promise new applications (rescue, exploration, surveillance) in potentially dangerous (and harmful) environments. Since its initial presentation [15], this computing model has grown in popularity and many refinements have been proposed (see [11] for a recent state of the art). From a theoretical point of view, the interest lies in characterising the exact conditions for solving a particular task.
In the model we consider, robots are anonymous (i.e., indistinguishable from each other), oblivious (i.e., no persistent memory of the past is available), and disoriented (i.e., they do not agree on a common coordinate system). The robots operate in Look-Compute-Move cycles. In each cycle a robot "Looks" at its surroundings and obtains (in its own coordinate system) a snapshot containing the locations of all robots. Based on this visual information, the robot "Computes" a destination location (still in its own coordinate system) and then "Moves" towards the computed location. Since the robots are identical, they all follow the same deterministic algorithm. The algorithm is oblivious if the computed destination in each cycle depends only on the snapshot obtained in the current cycle (and not on the past history of the execution). The snapshots obtained by the robots are not consistently oriented in any manner (that is, the robots' local coordinate systems share neither a common direction nor a common chirality).

The execution model significantly impacts the solvability of collaborative tasks. Three different levels of synchronisation have been considered. The strongest model [15] is the fully synchronised (FSYNC) model, where each phase of each cycle is performed simultaneously by all robots. On the other hand, the asynchronous model [11] (ASYNC) allows arbitrary delays between the Look, Compute and Move phases, and the movement itself may take an arbitrary amount of time. In this paper, we consider the semi-synchronous (SSYNC) model [15], which lies between the two extreme models. In the SSYNC model, time is discretised into rounds and in each round an arbitrary subset of the robots is active. The robots that are active in a particular round perform exactly one atomic Look-Compute-Move cycle in that round. It is assumed that the scheduler (seen as an adversary) is fair, in the sense that it guarantees that in any configuration, any robot is activated within a finite number of steps.

Related Work. The gathering problem is one of the benchmarking tasks in mobile robot networks, and has received a considerable amount of attention (see [11] and references therein). The gathering task consists in all robots (considered as dimensionless points in a Euclidean space) reaching a single point, not known beforehand, in finite time. A foundational result [?] shows that in the FSYNC or SSYNC models, no oblivious deterministic algorithm can solve gathering for two robots without additional assumptions [11]. This result can be extended [15, ?] to the bivalent case, that is, when an even number of robots is initially evenly split between exactly two locations. On the other hand, it is possible to solve gathering if n > 2 robots start from initially distinct positions, provided robots are endowed with multiplicity detection: that is, a robot is able to determine the number of robots that occupy a given position. While probabilistic solutions [15, 12] can cope with arbitrary initial configurations (including bivalent ones), most of the deterministic ones in the literature [11] assume that robots always start from distinct locations (that is, the initial configuration contains no multiplicity points). Some recent work was devoted to relaxing this hypothesis in the deterministic case. Dieudonné and Petit [10] investigated the problem of gathering from any configuration (that is, the initial configuration can contain arbitrary multiplicity points): assuming that the number of robots is odd (so that no initial bivalent configuration can exist), they provide a deterministic algorithm for gathering starting from any configuration. Bouzid et al. [6] improved the result by also allowing an even number of robots to start from configurations that contain multiplicity points (although the initial bivalent configuration is still forbidden, due to the impossibility results in this case). In that sense, the algorithm of Bouzid et al. [6] is universal: it works for all gatherable configurations, including those with multiplicity points. Both aforementioned results assume that robots are endowed with multiplicity detection and have a common chirality. A natural open question emerging from those works is whether any of those assumptions can be relaxed (both cannot be relaxed at the same time, as impossibility results exist in this case [15]).

Another line of work related to our concern is that of using formal methods in the context of mobile robots [5, ?, 14, ?]. Model-checking proved useful to find bugs in existing literature [3] and to assess formally published algorithms [?], in a simpler setting where robots evolve in a discrete space where the number of possible positions is finite. Automatic program synthesis (for the problem of perpetual exclusive exploration in a ring-shaped discrete space) is due to Bonnet et al. [5], and can be used to obtain automatically algorithms that are "correct-by-design". The approach was recently refined by Millet et al. [14] for the problem of gathering in a discrete ring network. As all aforementioned approaches are designed for a discrete setting where both the number of positions and the number of robots are known, they cannot be used in the continuous space, where robot positions take values in a set that is not enumerable, and they cannot establish results that are valid for any number of robots. Developed for the COQ proof assistant¹, the Pactole framework enabled the use of higher-order logic to certify impossibility results [2] for the problem of convergence: for any positive ε, robots are required to reach locations that are at most ε apart. Another classical impossibility result that was certified using the Pactole framework is the impossibility of gathering starting from a bivalent configuration [8]. While the proof assistant approach seems a sensible path for establishing certified results for mobile robots that evolve in a continuous space, prior to this paper there existed no positive certified result in this context. Expressing mobile robot algorithms in a formal framework that permits certification poses a double challenge: how to express the algorithm (which may make use of complex geometric abstractions that must be properly defined within the framework), and how to write the proof?

Our contribution 

Motivated by open problems on the gathering side and on the proof assistant side, we investigate the possibility of universal gathering of mobile oblivious robots (that is, starting from any initial configuration that is not bivalent, using any number of robots) without relying on chirality (unlike [10, 6]).

We present a new gathering algorithm for robots operating in a continuous space that (i) can start from any configuration that is not bivalent, (ii) does not put any restriction on the number of robots, and (iii) does not assume that robots share a common chirality. We give very strong guarantees on the correctness of our algorithm by proving it formally correct using the COQ proof assistant. To this end we use the formal model and libraries we developed, previously sketched in [2] and [8].

¹ http://coq.inria.fr

To our knowledge, this is the first certified positive (and constructive) result in the context of oblivious mobile robots. It demonstrates both the effectiveness of the approach to obtain new algorithms that are truly generic, and its manageability, since the amount of developed code remains human readable. Our bottom-up approach lays sound theoretical foundations for future developments in this domain.

Roadmap. 

The sequel of the paper is organised as follows. First, we recall the context of robot networks in Section 2. In Section 3 our algorithm is informally presented, along with the key points of its correctness proof. We present our formal COQ framework in Section 4, together with the formalisation of the key concepts identified in the previous section. Section 5 investigates further some planned developments.

The actual development for COQ 8.5 is available at
http://pactole.lri.fr/pub/certified_gathering1D.tgz

2 Robot Networks 

We borrow most of the notions in this section from [15, ?, ?]. The network consists of a set of n mobile entities, called robots, arbitrarily located in the space. Robots cannot communicate explicitly by sending messages to each other. Instead, their communication is based on vision: they observe the positions of other robots, and based on their observations, they compute destination points to which they move.

Robots are homogeneous and anonymous: they run the same algorithm (called robogram), 
they are completely indistinguishable by their appearance, and no identifier can be used in their 
computations. They are also oblivious, i.e. they cannot remember any previous observation, 
computation or movement performed in any previous step. 

For simplicity, we assume that robots are without volume, i.e. they are modeled as points that cannot obstruct the movement or vision of other robots. Several robots can be located at the same point; a tower is a location inhabited by (one or) several robots. The multiplicity of a location l, that is, the number of robots at this location, is denoted by |l|.

Visibility is global: the entire set of robots can always be seen by any robot at any time. 
Robots that are able to determine the exact number of robots occupying a same position (i.e., 
the multiplicity of a tower) enjoy strong multiplicity detection; if they can only know if a given 
position is inhabited or not, their multiplicity detection is said to be weak. 

Each robot has its own local coordinate system and its own unit measure. Robots do not 
share any origin, orientation, and more generally any frame of reference, but it is assumed that 
every robot is at the origin of its own frame of reference. 

At a given time, robots and their positions define a configuration. A configuration that consists of exactly two towers of the same cardinality is said to be bivalent.
The degree of asynchrony in the robot swarm is characterised by an abstract entity called the demon (or adversary). Each time a robot is activated by the demon, it executes a complete three-phase cycle: Look, Compute and Move. During the Look phase, using its visual sensors, the robot gets a snapshot of the current configuration. Then, based only on this observed configuration, it computes a destination in the Compute phase using its robogram, and moves towards it during the subsequent Move phase. Movements of robots are rigid, i.e. the demon cannot stop them before they reach their destination.

A run (or execution) is an infinite sequence of rounds. During each round, the demon chooses a subset of robots and activates them to execute a cycle. We assume the scheduling to be fair, i.e. each robot is activated infinitely often in any infinite execution, and atomic, in the sense that robots that are activated in the same round execute their actions synchronously and atomically. An atomic demon is called fully-synchronous (FSYNC) if all robots are activated at each round; otherwise it is said to be semi-synchronous (SSYNC).

3 Setting and Robogram 

We consider a set of n anonymous robots that are oblivious and equipped with global strong multiplicity detection (that is, they are able to count the number of robots that occupy any given position). The demon is supposed to be fair, and the execution model is SSYNC.

The space in which they move is the real line ℝ. Robots do not share any common direction of the line, nor any chirality.

Any initial configuration is accepted as long as it is not bivalent (including those with multiplicity points). Indeed, [15] shows that gathering is not solvable for two robots, and a formal certified proof that the gathering problem cannot be solved if bivalent positions are tolerated is available [8].

3.1 Robogram 

In this particular case of the considered space being ℝ, even if there is no common frame of reference, we have that, for any configuration, the set of inhabited locations that are the most external is the same for all robots. Hence, those most external inhabited locations define the same center of extrema for all robots, as well as the same set of (strictly) interior inhabited locations. Based on this remark, we can define the robogram embedded in each robot as follows:

1. If there is a unique location with highest multiplicity, the destination is that location,

2. Otherwise, if there are exactly three inhabited locations, the destination is the one in between,

3. Otherwise, if not already at one of the most external locations, the destination is the center of the most external ones,

4. Otherwise, the destination is the origin (do not move).
An example execution of our robogram is presented in Figure 1. In the initial configuration (see Figure 1(a)), only the third condition is enabled. The inner robots move toward the middle of the extremal robots. When there are three inhabited locations (see Figure 1(b)), only the second condition is enabled, and extremal robots move toward the inner inhabited location. When a single highest multiplicity point is reached (see Figure 1(c)), only the first condition is enabled, and all robots move toward it. After all robots gather (see Figure 1(d)), only the fourth condition applies, and the configuration is final.



(a) Initial configuration. (b) Exactly three inhabited locations. (c) Unique highest multiplicity point. (d) Gathered configuration.

Figure 1: Example execution of our robogram.

This description of the protocol is obviously informal; we present in Section 4.1 its formal version, that is, the COQ definition of our algorithm.

3.2 Key points to prove correctness 

Some properties are fundamental in our proof that the algorithm is a solution to the problem of gathering. Namely, that robots move towards the same location, that a legal configuration cannot evolve into a forbidden (that is, bivalent) one, and finally that the configuration is eventually reduced to a single inhabited location.

Robots that move go to the same location.

Note that by robots "that move" we explicitly mean robots whose destination is not their current location, and not robots that are activated (some of which may not move). Robots enjoy global strong multiplicity detection, hence they all detect whether there is a unique tower with the highest multiplicity, and if so share that destination (Phase 1). If they do not find such a tower, they can all count how many locations are inhabited. Should they detect that there are only three of them (Phase 2) then, as previously remarked, sharing the notion of the tower in between, they also share the destination. Finally, if there are more than three inhabited locations, none of which holds more robots than the others (Phase 3), then since the most external towers are the same for all robots, the robots that move go to the location defined as the center of those external towers, that is, the same destination again.

Further note that we actually just showed that all moving robots are in the same phase of the robogram, and that the resulting destination does not depend on the frame of reference of the robot.

Bivalent positions are unreachable. 

We require that the initial configuration does not consist of exactly two towers with the same multiplicity. One of the key points ensuring this algorithm's correctness is that there is no way to reach a bivalent configuration from a configuration that is not bivalent. Consider two configurations C_0 and C_1, C_1 being bivalent and resulting from C_0 by some round. Let us denote by |x|_0 (resp. |x|_1) the multiplicity of location x in C_0 (resp. in C_1). By definition, C_1 consists of two locations l_1 and l_2 such that |l_1|_1 = |l_2|_1 = n/2. As all moving robots go to the same location, we can assume without loss of generality that robots moved to, say, l_1, adding to its original multiplicity |l_1|_0 (which might have been 0). Since the configuration is now bivalent, l_2 was inhabited in C_0 with |l_2|_0 ≥ n/2 (some robots in l_2 might have moved to l_1). There cannot have been only one inhabited location l distinct from l_2 before the round: either |l|_0 = |l_2|_0 = n/2, but we supposed the configuration was not bivalent, or |l|_0 < n/2 < |l_2|_0, but then by Phase 1 robots would have moved to l_2 and not to l_1. Hence C_0 consisted of l_2 and several inhabited locations l_i (i ≠ 2) amongst which the robots not located in l_2 were distributed; but then none of the l_i could have held more than n/2 − 1 robots, so l_2 was the unique highest tower, Phase 1 should have applied and robots should have moved to l_2, a contradiction.

Eventually no-one moves. 

The termination of the algorithm is ensured by the existence of a measure decreasing at each 
round involving a moving robot for a well-founded ordering. We then conclude using the as¬ 
sumption that the demon is fair. 
The measure is defined as follows: we map any configuration C_i to a pair (p_i, m_i) ∈ ℕ × ℕ such that p_i is the phase number of the moving robots, and:

• if p_i = 1, m_i is the number of robots that are not at the (unique) location of highest multiplicity,

• if p_i = 2, m_i is the number of robots that are not at the inhabited location in between,

• if p_i = 3, m_i is the number of robots that are neither at a most external location nor at their center.

Let >_ℕ be the usual ordering on natural numbers; the relevant ordering ≻ is defined as the lexicographic extension of >_ℕ to pairs:

(p, m) ≻ (p', m')  iff  p >_ℕ p', or p = p' and m >_ℕ m'.

It is well-founded since >_ℕ is well-founded. We show that for any round on a configuration C_k resulting in a different configuration C_{k+1}, (p_k, m_k) ≻ (p_{k+1}, m_{k+1}), hence proving that eventually there is no more change in successive configurations.
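The robogram of Section 3.1 and the three key points above can be sanity-checked outside COQ by a bounded exhaustive simulation. The following Python script is an added example written for this page; it is not part of the Pactole development and it proves nothing about the general case. It enumerates every SSYNC execution (every non-empty activation subset at every round) from every non-bivalent configuration of up to four robots placed on constructed integer positions 0..grid−1, keeps positions exact as rationals, and asserts same_destination, never_forbidden, strict decrease of the (phase, m) measure on every changing round, that no robot moves once gathered, and that the destination a robot computes does not depend on its private unit or orientation (the scale parameter, negative for a mirrored frame, stands in for the absence of a common direction or chirality). The names destination, measure, check_all and the like are this example's own, not the COQ identifiers.

```python
from fractions import Fraction
from collections import Counter
from itertools import product

# Added example, not part of the Pactole/COQ development. A configuration is a
# tuple of exact global positions indexed by robot identifier; a spectrum is the
# multiset (Counter) of inhabited locations, i.e. strong multiplicity detection.

def cfg(*positions):
    """Build a configuration from integer or rational positions (exact arithmetic)."""
    return tuple(Fraction(p) for p in positions)

def robogram(spec):
    """Section 3.1 robogram on a spectrum expressed in the observing robot's own
    frame (the observer sits at 0); returns a destination in that same frame."""
    support = sorted(spec)
    if not support:
        return Fraction(0)                       # no robot at all (totality only)
    top = max(spec.values())
    maxima = [p for p in support if spec[p] == top]
    if len(maxima) == 1:                         # Phase 1: unique highest tower
        return maxima[0]
    if len(support) == 3:                        # Phase 2: the location in between
        return support[1]
    lo, hi = support[0], support[-1]
    if lo == 0 or hi == 0:                       # Phase 4: an extremal robot stays
        return Fraction(0)
    return (lo + hi) / 2                         # Phase 3: center of the extrema

def destination(config, r, scale=1):
    """Global destination of robot r. 'scale' is r's private unit of length,
    negative for a mirrored orientation: no shared direction or chirality."""
    scale, origin = Fraction(scale), config[r]
    local = Counter((x - origin) * scale for x in config)   # robot spectrum
    return origin + robogram(local) / scale                  # back to demon frame

def forbidden(config):
    """Bivalent: exactly two towers with the same multiplicity."""
    counts = list(Counter(config).values())
    return len(counts) == 2 and counts[0] == counts[1]

def measure(config):
    """The (phase, m) measure of Section 3.2, compared lexicographically."""
    spec, n = Counter(config), len(config)
    support = sorted(spec)
    top = max(spec.values())
    maxima = [p for p in support if spec[p] == top]
    if len(maxima) == 1:
        return (1, n - spec[maxima[0]])
    if len(support) == 3:
        return (2, n - spec[support[1]])
    lo, hi = support[0], support[-1]
    keep = {lo, hi, (lo + hi) / 2}
    return (3, sum(1 for x in config if x not in keep))

def ssync_round(config, dests, active):
    """One SSYNC round: each activated robot performs its rigid move."""
    return tuple(dests[r] if r in active else config[r] for r in range(len(config)))

def check_all(n_max=4, grid=4):
    """Explore every SSYNC execution from every non-bivalent configuration of
    1..n_max robots on integer positions 0..grid-1. Returns (number of distinct
    configurations visited, number of gathered configurations among them)."""
    scales = [1, -1, 2, Fraction(-1, 3)]
    seen, gathered = set(), 0
    for n in range(1, n_max + 1):
        robots = range(n)
        stack = [c for c in (cfg(*p) for p in product(range(grid), repeat=n))
                 if not forbidden(c)]
        while stack:
            config = stack.pop()
            if config in seen:
                continue
            seen.add(config)
            assert not forbidden(config)                       # never_forbidden
            dests = [destination(config, r) for r in robots]
            for r in robots:                                   # frame independence
                assert all(destination(config, r, s) == dests[r] for s in scales)
            moving = [r for r in robots if dests[r] != config[r]]
            assert len({dests[r] for r in moving}) <= 1        # same_destination
            if len(set(config)) == 1:
                assert not moving                              # gathered is stable
                gathered += 1
                continue
            assert moving                 # someone moves, so fairness forces progress
            for mask in range(1, 2 ** n):                      # every activation subset
                active = {r for r in robots if mask >> r & 1}
                nxt = ssync_round(config, dests, active)
                if nxt != config:
                    assert measure(nxt) < measure(config)      # round_lt_conf
                    stack.append(nxt)
    return len(seen), gathered

if __name__ == "__main__":
    print("visited, gathered:", check_all())
```

The state space is finite because extremal robots never move in Phase 3, so the only new position an execution can create is the midpoint of the initial extremes; the measure decreasing on every changing round is what makes the search terminate and, together with "some robot moves in every non-gathered configuration", is exactly why a fair demon cannot avoid gathering. Raising n_max to 6 exercises the even-size bivalent argument of the previous paragraph at the cost of a noticeably longer run.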

4 A Formal Model to Prove Robograms 

To certify results and to guarantee the soundness of theorems, we use COQ, a Curry-Howard-based interactive proof assistant enjoying a trustworthy kernel. The (functional) language of COQ is a very expressive λ-calculus: the Calculus of Inductive Constructions (CIC) [1]. In this context, datatypes, objects, algorithms, theorems and proofs can be expressed in a unified way, as terms.

The reader will find in [?] a very comprehensive overview and good practices with reference to COQ. Developing a proof in a proof assistant may nonetheless be tedious, or require expertise from the user. To make this task easier, we are actively developing (under the name Pactole) a formal model, as well as lemmas and theorems, to specify and certify results about networks of autonomous mobile robots. It is designed to be robust and flexible enough to express most of the variety of assumptions in robot networks, for example with reference to the considered space: discrete or continuous, bounded or unbounded...

We do not expect the reader to be an expert in COQ but of course the specification of a model 
for mobile robots in COQ requires some knowledge of the proof assistant. We want to stress that 
the framework eases the developer’s task. The notations and definitions we give hereafter should 
be simply read as typed functional expressions. 

The formal model we rely on, as introduced in [2], exceeds our needs, as in particular it includes Byzantine robots, which are irrelevant in the present work. The reader is invited to check that the actual code is almost identical.


4.1 The Formal Model 


The Pactole model² has been sketched in [2, 8], to which we refer for further details; we recall here its main characteristics.

We use two important features of COQ: a higher-order formalism to quantify over programs, demons, etc., and the possibility to define inductive and coinductive types [?] to express inductive and coinductive datatypes and properties. Coinductive types are in particular of invaluable help to express infinite behaviours, infinite datatypes and properties on them, as we shall see with demons.

Robots are anonymous; however we need to identify some of them in the proofs. Thus, we consider given a finite set of identifiers, isomorphic to a segment of ℕ. We hereafter omit this set G unless it is necessary to characterise the number of robots. Robots are distributed in space, at places called locations. We call a configuration a function from the set of identifiers to the space of locations. The set of locations we consider here is the real line ℝ.

Note that from that definition, there is information about identifiers contained in configurations; in particular, equality between configurations does not simply boil down to the equality of the multisets of inhabited locations.

Now, since we are under the assumption that robots are anonymous and indistinguishable, we have to make sure that those identifiers are not used by the embedded algorithm.

Spectrum. The computation of any robot's target location is based on the perception it gets from its environment, that is, in an SSYNC execution scheme, from a configuration. The result of this observation may be more or less accurate, depending on the sensors' capabilities. A robot's perception of a configuration is called a spectrum. To allow for different assumptions to be studied, we leave abstract the type of spectra (Spect.t) and the notion of the spectrum of a position. Robograms then output a location when given a spectrum (instead of a configuration), thus guaranteeing that assumptions over sensors are fulfilled. For instance, the spectrum for anonymous robots with weak global multiplicity detection could be a set of inhabited locations, i.e., without any multiplicity information. In a strong global multiplicity setting, a multiset of inhabited locations is a suitable spectrum; that is what we use in this work.

In the following we distinguish a demon configuration (resp. spectrum), which is expressed in the global frame of reference, from a robot configuration (resp. spectrum), which is expressed in the robot's own frame of reference. At each step of the distributed protocol (see the definition of round below) the demon configuration and spectrum are transformed (i.e., recentered, rotated and scaled) into the considered robot's ones before being given as parameters to robograms. Depending on assumptions, the zoom and rotation factors may be fixed for each robot or chosen by the demon at each step. They may also be shared by all robots or not, etc.

Robogram. Robograms may be naturally defined in a completely abstract manner, without any concrete code, in our COQ model as follows. They consist of an actual algorithm pgm that takes a spectrum as input and returns a location, and a compatibility property pgm_compat stating that target locations are the same if equivalent spectra are given (for some equivalence on spectra).

    Record robogram := {
      pgm :> Spect.t -> Location.t;
      pgm_compat : Proper (Spect.eq ==> Location.eq) pgm }.

² Available at http://pactole.lri.fr

Of course it is possible to instantiate the robogram by giving a concrete definition of the program, and proving that the compatibility property holds. In our case, the type of locations is R.t (from the COQ library on axiomatic reals) and the program as described in Section 3.1 is:

    Definition robogram_pgm (s : Spect.t) : R.t :=
      match Spect.support (Smax s) with          (* Locations of max multiplicity *)
      | nil => 0                                 (* Only happens if no robot *)
      | pt :: nil => pt                          (* Phase 1: unique highest tower *)
      | _ =>
        if beq_nat (length (Spect.support s)) 3 then
          List.nth 1 (sort (Spect.support s)) 0  (* Phase 2: between *)
        else if is_extremal 0 s then 0           (* ... stay ... *)
        else extreme_center s                    (* Phase 3: center *)
      end.

Note that this is almost exactly ML code.

The resulting instantiated robogram is defined under the name gathering_robogram.

4.2 Formalising Key Points and the Main Theorem 

The key steps of our proof can be expressed as relatively straightforward statements. Theorem same_destination states that two robots id1 and id2 that are in the set of moving robots (i.e., whose destination is not their current location) compute the same destination location (in the demon's frame of reference).

    Theorem same_destination : ∀ da config id1 id2,
      In id1 (moving gathering_robogram da config) →
      In id2 (moving gathering_robogram da config) →
      round gathering_robogram da config id1 = round gathering_robogram da config id2.

The proof is by cases on the phases of the robogram, and on the structure of the provided code. The formal proof is about 30 lines of COQ long.

Theorem never_forbidden says that for all demonic actions da and configurations conf, if conf is not bivalent, then the configuration resulting from conf after the round defined by da and our robogram is not bivalent.

    Theorem never_forbidden : ∀ da conf,
      ¬ forbidden conf → ¬ forbidden (round gathering_robogram da conf).

The proof is done by a case analysis on the set of towers of maximum height at the beginning. If there is none, this is absurd; if there is exactly one, the resulting configuration will have the same highest tower, a legal configuration. Now if there are at least two highest towers, then if the resulting configuration is bivalent, at least one robot has moved (otherwise the original configuration would be bivalent, contrary to what is assumed), and all robots that move go to the same one of the resulting two towers. The rest is arithmetic, as described in Section 3.2. The proof of this key point is less than 100 lines of COQ script.

It remains to state that for all demonic actions da and configurations conf, if conf is not bivalent, and if there is at least one robot moving, then the configuration resulting from the round defined by da and our robogram on conf is smaller than conf, the ordering relation on configurations, called lt_conf, being the one described in Section 3.2. This is directly translated into the following theorem.

    Theorem round_lt_conf : ∀ da conf,
      ¬ forbidden conf → moving gathering_robogram da conf ≠ nil →
      lt_conf (round gathering_robogram da conf) conf.

A general description of how to characterise a solution to the problem of gathering has been given in [8]. We specialise this definition here to take into account that an initial configuration is not bivalent. This is straightforward: any robogram r is a solution w.r.t. a demon d if for all configurations conf that are not bivalent, there is a point pt to which all robots will eventually gather (and stay) in the execution defined by r and d, starting from conf.

    Definition solGathering (r : robogram) (d : demon) :=
      ∀ conf, ¬ forbidden conf → ∃ pt : R, WillGather pt (execute r d conf).

The theorem stating the correctness of our robogram is then simply: for all demons d that are fair, gathering_robogram is a solution with respect to d.

    Theorem Gathering_in_R : ∀ d, Fair d → solGathering gathering_robogram d.

The proof proceeds by well-founded induction on the lt_conf relation. If all robots are gathered, then we are done. If not, by fairness some robots will have to move, thus some robot will be amongst the first to move (formally, this is an induction using fairness). We conclude by using the induction hypothesis of our well-founded induction, as this round decreases the measure on configurations (theorem round_lt_conf). This proof of the main theorem is interestingly small, as it is only about 20 lines of COQ.

The whole file dedicated to specification and certification of our algorithm (RDVinR.v) is 
about 2300 lines long. It includes 460 lines of definitions, specification and intermediate lemmas, 
and approximately 1460 lines of actual proof. 

5 Perspectives 

We proposed a new algorithm to gather anonymous and oblivious robots on a continuous unbounded space, the real line ℝ, without relying on a shared orientation or chirality, and allowing for any initial configuration that is not bivalent. This protocol is certified correct for any positive number of robots (more than two) using our actively developed COQ framework for networks of mobile robots, which is publicly available to the research community.

A next step would be to add more dimensions to the considered Euclidean space, first by considering gathering in ℝ². As the framework is highly parametric, specifying another space in which robots move is not a dramatic change: the type of locations is a parameter, and it is left abstract throughout the majority of the formalism, in which a concrete instance is not needed.

Another interesting evolution would be to take into account the more general ASYNC model, that is, when Look-Compute-Move cycles and phases are not atomic anymore. Describing behaviours that are ASYNC in COQ may nonetheless add to the intricacy of formal proofs, and relevant libraries to ease the task of the developer will have to be provided accordingly.